Many devices today make use of computational elements controlled by software instructions embedded in the device to give the device its functional personality. This software, often called firmware because of its persistent association with the operation of the device hardware, was historically placed in read-only memory (ROM) and activated when the device was powered on. Over time it was recognized that firmware, like other forms of software, might be subject to coding mistakes, and that over the lifetime of the device there was a need to modify its functional characteristics, for example to adapt it to a new target environment. This need to repair firmware coding errors and/or modify firmware functionality led to the use of field-programmable random-access memory (RAM) as a repository for on-device firmware, which provided an easier means of modification than replacing ROM chips.
As a result of this evolution, firmware can typically be updated without physical hardware modification, using removable digital media or a network connection as the mechanism by which new firmware is communicated to the device. The extensive increase in network connectivity in recent years has resulted in an increase in the number of firmware-driven devices that allow personality updates. With the increasing number of update-capable devices may come significant security problems. Given the ubiquitous nature of firmware-driven devices, such security problems may extend to homes, businesses and other areas where such devices are used. For example, personal computers, pagers, cell phones, satellite receivers, set-top boxes, cable and DSL modems, routers, digital TVs, or even appliances like refrigerators, sewing machines and ovens may all be susceptible to such security problems.
In a personal computer, firmware instructions are generally referred to as a Basic Input/Output System (BIOS). A BIOS typically contains hardware diagnostics, code that initializes and enables/disables certain hardware features (for example, boot from network, system-board sound or display capability, memory parity, I/O bus speed, DMA, etc.), and instructions enabling the operating system and application programs to interface with the computer hardware. Parameters governing branches through the initialization code to enable/disable or configure certain hardware features are often stored in battery-backed CMOS RAM. Typically, all of these instructions must execute successfully, or be instantiated successfully as an application program interface (API), in order for the computer to boot.
It is well known in the art that the hardware in which the firmware (e.g., PC BIOS) instructions reside may be a field-programmable ROM such as an EEPROM or a flash RAM. Such hardware designs are desirable in allowing the manufacturer to update the firmware after manufacture, for example to enable new capabilities or fix problems. However, storing the BIOS in a flash memory may also open new vulnerabilities that can be exploited by hackers. For example, some of the approximately 50,000 computer viruses known today, such as the Chernobyl virus (known as CIH and W95.CIH), overwrite the BIOS with invalid instructions, completely disabling the computer and requiring physical replacement of the BIOS chip.
However, security problems may extend beyond malicious third parties attempting to damage devices in customers' hands. It is well known that many devices are built on generic hardware, where the sole differences between several models may be the sticker on the front panel, the firmware load in the resident flash, and the price. In such devices, a customer may, for example, turn an inexpensive device into a more expensive one merely by updating the firmware. For example, a manufacturer of Compact Disc Read/Write (CD-RW) drive mechanisms recently began to receive service calls about its name-brand $300 6×-write-speed drives, which turned out to be $100 OEM 4×-write-speed drives with the name-brand firmware update installed. Accordingly, manufacturers of devices that use easily updatable firmware may face significant security problems, which are further complicated where the device executes non-firmware application code and/or the device owner is complicit in the hacking activity.
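Both failure modes described above, an image of invalid instructions written to flash and a name-brand image loaded onto cheaper OEM hardware, are caught at the device's update path if the device parses the image header and refuses anything that is not intact and not built for its own model. The following C routine is an added illustration, not code from the patent: the image layout, the model IDs and the payload bytes are constructed for the example, and the CRC only detects corruption (authenticity against a deliberate forgery would additionally require a cryptographic signature over the image).

```c
#include <stdint.h>
#include <string.h>
/* Constructed image layout (an assumption for this example, not the patent's format), little-endian:
 * magic(4) | hw_model(2) | version(2) | payload_len(4) | payload_crc(4) | payload[payload_len] */
#define FW_MAGIC    "FWIM"
#define FW_HDR_LEN  16u
#define HW_MODEL_4X 0x0004u  /* constructed ID: the $100 OEM 4x-write drive */
#define HW_MODEL_6X 0x0006u  /* constructed ID: the $300 name-brand 6x-write drive */
enum fw_status { FW_OK = 0, FW_TRUNCATED, FW_BAD_MAGIC, FW_WRONG_MODEL, FW_BAD_CRC };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* CRC-32 (IEEE 802.3) over the payload: detects a corrupted or truncated image (the "invalid
 * instructions" case) but not a crafted one; authenticity needs a signature, left out here. */
uint32_t fw_crc32(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Update path on the device. my_model is assumed to come from a hardware identifier that the
 * update itself cannot rewrite; otherwise the model binding is worthless. */
enum fw_status fw_validate(const uint8_t *img, size_t len, uint16_t my_model) {
    if (len < FW_HDR_LEN) return FW_TRUNCATED;
    if (memcmp(img, FW_MAGIC, 4) != 0) return FW_BAD_MAGIC;
    uint32_t plen = rd32(img + 8);
    if (plen > len - FW_HDR_LEN) return FW_TRUNCATED;       /* length field must stay inside the image */
    if ((uint16_t)(img[4] | img[5] << 8) != my_model) return FW_WRONG_MODEL; /* 6x image on 4x hardware */
    if (fw_crc32(img + FW_HDR_LEN, plen) != rd32(img + 12)) return FW_BAD_CRC;
    return FW_OK;
}

/* Builds a constructed image for fw_model and validates it on hw_model hardware;
 * corrupt != 0 flips one payload byte after the CRC was computed. */
enum fw_status fw_scenario(uint16_t fw_model, uint16_t hw_model, int corrupt) {
    static const uint8_t payload[] = { 0x55, 0xAA, 0x90, 0x90, 0xEB, 0xFE };  /* constructed bytes */
    uint8_t img[FW_HDR_LEN + sizeof payload];
    memcpy(img, FW_MAGIC, 4);
    img[4] = (uint8_t)fw_model; img[5] = (uint8_t)(fw_model >> 8);
    img[6] = 1; img[7] = 0;                                   /* version 1 */
    wr32(img + 8, (uint32_t)sizeof payload);
    memcpy(img + FW_HDR_LEN, payload, sizeof payload);
    wr32(img + 12, fw_crc32(img + FW_HDR_LEN, sizeof payload));
    if (corrupt) img[FW_HDR_LEN + 2] ^= 0xFF;
    return fw_validate(img, sizeof img, hw_model);
}
```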